- CloudSEK researchers have analyzed data gathered by XVigil to unearth the scale and scope of cyber threats targeting oil and energy companies across the world.
- The FBI recently released an official advisory, warning against the ongoing activity of Russian state-sponsored threat actors against the global energy sector.
- A majority of the energy companies targeted by cyber-attacks are based in Europe, South/Latin America, Asia Pacific, and the Middle East.
- The US was the most targeted country, followed by Brazil and France.
- There was only one post on the dark web regarding an energy company in Russia, despite the fact that Russia is a major player in the global energy sector. And oil and gas accounts for 45% of its federal budget revenue.
- There is a possibility that cyber attacks on energy companies were perpetrated by the Russian actors, given that the impacted regions are Russia’s biggest competitors in the energy industry.
Analysis and Attribution
- XVigil recorded over 120 posts in 2021 and 2022 (till March), on cybercrime forums, related to the global energy sector.
- These posts primarily advertise accesses and databases belonging to companies involved in the energy, oil, gas, power, and utility sectors.
Type of data posted on underground forums in posts related to the Oil & Energy sector
- It is worth noting that the majority of the companies targeted are based in Europe, South/Latin America, Asia Pacific, and the Middle East, with only one post regarding an energy company in Russia, despite the fact that oil and gas accounts for 45% of Russia’s federal budget revenue.
[caption id="attachment_19276" align="alignnone" width="2048"]
Map graph depicting the region-wise number of recorded cyberattacks targeting the Oil & Energy sector[/caption]
- Russia plays a prominent role in the global energy market. It is one of the top three crude producers in the world, competing with Saudi Arabia and the United States for first place.
- Our analysis shows that the US was the most targeted country, followed by Brazil and France.
FBI Warning Against Russian Cyber Actors Targeting The Global Energy Sector
- The US Federal Bureau of Investigation (FBI) recently released an official warning against state-sponsored Russian cyber actors targeting the global energy sector.
- The advisory highlighted the deployment of TRITON malware, which was seen targeting a Middle East-based petrochemical plant’s safety instrumented system in 2017.
- TRITON was developed by the Russian Central Scientific Research Institute of Chemistry and Mechanics (TsNIIKhM) which continues to conduct activities targeting the global energy sector.
- This warning was issued in light of the US indictment of a Russian national and a TsNIIkhM employee who were both involved in the attack on Schneider Electric.
Cyber Attack Against Schneider Electric
- On 24 March 2022, TRITON malware launched an attack against Schneider Electric Triconex safety instrumented system (SIS). This module is responsible for initiating safe shutdown procedures in the case of an emergency.
- By changing in-memory firmware to incorporate new programming, the TRITON virus attacks Triconex Tricon safety controllers, potentially causing facility damage, system outage, and even death if the SIS fails to perform safe shutdown procedures.
- Schneider Electric patched the vulnerability (with the Tricon model 3008 v10.0-10.4), when version 11.3 of the Tricon controller was released in June 2018. Nevertheless, older versions of the controller are still in use and vulnerable to similar attacks.
Prominent Threat Actors
- Of the energy sector threats identified by XVigil, 5 major threat actors were responsible for ~20% of the threats.
- Among the 5 threat actors, 3 actors who go by the handles “mont4na”, “babam”, and “Kristina”, were responsible for more data leaks and accesses than any other threat actor.
[caption id="attachment_19277" align="alignnone" width="1200"]
Top 5 threat actors targeting the Oil & Energy sector[/caption]
- The actor’s skillset’s lies in exploiting SQL injection vulnerabilities primarily on login panels. Previously, mont4na was actively selling vulnerabilities and asking buyers to fetch the database. But over time, his activities include posting login accesses and databases in some cases. While his targets are spread over the globe, he has only targeted reputed companies.
- The actor was inactive for a span of almost 10 months until late November 2021. However, post that, there have been more than fifty posts. The actor also deletes his advertisement once the vulnerability or the access is sold.
- Babam is an Initial Access Broker (IAB) on a Russian cybercrime forum, active in the auction section of the forum.
- The actor specializes in selling different types of accesses (including Citrix, RDP, RDWeb, VPN) from across the world.
- The actor's history, and the types of accesses advertised, indicate that the actor generally extracts credentials from the logs of info stealer malware or bots.
- The actor had a high reputation on the forum, but due to payment related issues with some buyers, they were banned from the forum on 19 October 2021.
- Kristina is a handle used by a threat group that was previously known as Kelvin Security team.
- The group uses targeted fuzzing and exploits common vulnerabilities to target victims. Being highly skilled in use of tools and having wide knowledge of various exploits, they share their list of tools and payloads for free.
- They typically target victims with common underlying technologies or infrastructure at any given time.
- The group doesn’t shy away from attention and publicly shared information such as new exploits, targets, and databases on cybercrime forums and communication channels such as Telegram.
- Recently, they started their own data leak websites where other threat actors can come and share databases.
Overview of the TRITON Malware
- The TRITON malware is known for targeting Safety Instrumented Systems [SIS] to make faults in the hardware leading to damage and eventually failure of the safety system in OT networks.
- In the past the malware has attacked Schneider Electric Triconex MP3008 main processor modules running the firmware versions 10.0-10.4.
- TRITON is not a generic malware that targets IT. Rather, it is a specially designed malware that is intended to run on a very specific SIS hardware of the attacker's choice.
- The malware is capable of exploiting zero-day vulnerabilities in device firmware to perform privilege escalation in order to complete specific tasks.
- The TRITON is human-operated malware. The threat actors initially breach the OT network and gain unauthorized access to the safety controller to deploy the malware.
Working of TRITON
- In one of the campaigns uncovered by CISA, adversaries deployed multiple assets written in Python and PowerPC programs to target PowerPC based Triconex MP3008.
- The threat actor executes a Python executable after initial entry which executes an injector to modify the firmware of the controller to append TRITON implant in memory. The implant serves the purpose of RAT.
- Upon sending a known command (trigger) to the compromised controller the implant starts executing, giving the threat actor complete control over the controller.
- The main python module has a custom implementation of the TriStation protocol used for making connections between the compromised system and the safety controller Tricon.
- The TRITON malware has the following components:
- An executable program is used to program a Tricon device without the TriStation Protocol software.
- A Power-PC based native shellcode that acts as an injector which injects the malicious implant.
- The malicious implant is a Power-PC based native shellcode capable of performing write/read operations in the firmware memory and executing code at an arbitrary address within the firmware.
- The injector has a complex logic that performs various checks to exploit 0-day vulnerabilities in the firmware, to escalate privilege to eventually write the implant in the address space of the firmware.
- Once the injector gains supervisor permissions by exploiting the 0-day, it copies the implant shellcode in the firmware address space and patches the RAM/ROM consistency check to make sure that the controller doesn't fault on firmware modification and make changes to jump table entry for a specific TriStation protocol command so that it points to the address of the copied implant.
- When the malware has successfully appended the implant in the firmware of the controller, by issuing the modified Tristation protocol command, the threat actor can invoke the implant to reprogram the controller.
- The changes made to the firmware will be persistent only in memory and will be lost when the device is reset.
Impact & Mitigation of the Cyber Attacks
- The leaked information could be used to gain initial access to the company’s infrastructure.
- If the leaked data is not encrypted it could enable account takeovers.
- Commonly used passwords or weak passwords could lead to brute force attacks.
- It would equip malicious actors with the details required to launch sophisticated ransomware attacks.
- Check for possible workarounds and patches while keeping the ports open.
- Implement a strong password policy and enable MFA (multi-factor authentication) across logins.
- Patch vulnerable and exploitable endpoints.
- Monitor for anomalies in user accounts, which could indicate possible account takeovers.
Indicators of Compromise (IoCs)